* [PATCH 1/2] wiphy: add driver quirk to disable SAE
@ 2025-02-11 19:58 James Prestwood
2025-02-11 19:58 ` [PATCH 2/2] doc: document [DriverQuirks].SaeDisable James Prestwood
` (2 more replies)
0 siblings, 3 replies; 6+ messages in thread
From: James Prestwood @ 2025-02-11 19:58 UTC (permalink / raw)
To: iwd; +Cc: James Prestwood
SAE/WPA3 is completely broken on brcmfmac, at least without a custom
kernel patch which isn't included in many OS distributions. In order
to help with this add a driver quirk so devices with brcmfmac can
utilize WPA2 instead of WPA3 and at least connect to networks at
this capacity until the fix is more widely distributed.
---
src/wiphy.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/src/wiphy.c b/src/wiphy.c
index c7df648a..46f7a6d9 100644
--- a/src/wiphy.c
+++ b/src/wiphy.c
@@ -74,6 +74,7 @@ enum driver_flag {
POWER_SAVE_DISABLE = 0x4,
OWE_DISABLE = 0x8,
MULTICAST_RX_DISABLE = 0x10,
+ SAE_DISABLE = 0x20,
};
struct driver_flag_name {
@@ -106,7 +107,8 @@ static const struct driver_flag_name driver_flag_names[] = {
{ "ForcePae", FORCE_PAE },
{ "PowerSaveDisable", POWER_SAVE_DISABLE },
{ "OweDisable", OWE_DISABLE },
- { "MulticastRxDisable", MULTICAST_RX_DISABLE }
+ { "MulticastRxDisable", MULTICAST_RX_DISABLE },
+ { "SaeDisable", SAE_DISABLE },
};
struct wiphy {
@@ -202,6 +204,9 @@ uint16_t wiphy_get_supported_ciphers(struct wiphy *wiphy, uint16_t mask)
static bool wiphy_can_connect_sae(struct wiphy *wiphy)
{
+ if (wiphy->driver_flags & SAE_DISABLE)
+ return false;
+
/*
* WPA3 Specification version 3, Section 2.2:
* A STA shall not enable WEP and TKIP
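Review bot: The new early return in wiphy_can_connect_sae() carries no comment, although it is the single point where a configuration quirk makes a WPA3/WPA2 transition network connect with WPA2-PSK and gives up SAE's resistance to offline passphrase guessing. A short comment above the check would record that intent, for example `/* SaeDisable quirk: driver cannot complete SAE, so transition-mode networks fall back to PSK and SAE-only networks become unusable */`. The only runtime trace of the quirk visible in this patch is the one-time "Driver Flags" line in wiphy_print_basic_info(), so it is worth considering whether the fallback should also be logged when a network is actually selected, since the setting will outlive the kernel fix unless someone remembers to remove it. The function body continues past the end of this hunk.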
@@ -1368,6 +1373,9 @@ static void wiphy_print_basic_info(struct wiphy *wiphy)
if (wiphy->driver_flags & MULTICAST_RX_DISABLE)
flags = l_strv_append(flags, "MulticastRxDisable");
+ if (wiphy->driver_flags & SAE_DISABLE)
+ flags = l_strv_append(flags, "SaeDisable");
+
joined = l_strjoinv(flags, ' ');
l_info("\tDriver Flags: %s", joined);
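Review bot: The string "SaeDisable" now lives in two places, the driver_flag_names[] table and this hand-written `if` in wiphy_print_basic_info(), so every new quirk has to be added to both and the two can drift apart. Only the MulticastRxDisable check is visible here, but if the other flags in this function follow the same pattern, a loop over driver_flag_names[] that appends each entry's name when its flag bit is set in `wiphy->driver_flags` would replace the whole chain of checks. The function starts and ends outside the hunk, so this would need confirming against the full body.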
--
2.34.1
* [PATCH 2/2] doc: document [DriverQuirks].SaeDisable
2025-02-11 19:58 [PATCH 1/2] wiphy: add driver quirk to disable SAE James Prestwood
@ 2025-02-11 19:58 ` James Prestwood
2025-02-11 20:32 ` [PATCH 1/2] wiphy: add driver quirk to disable SAE KeithG
2025-02-12 15:51 ` James Prestwood
2 siblings, 0 replies; 6+ messages in thread
From: James Prestwood @ 2025-02-11 19:58 UTC (permalink / raw)
To: iwd; +Cc: James Prestwood
---
src/iwd.config.rst | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/src/iwd.config.rst b/src/iwd.config.rst
index 0dd9d978..4ba7b4e7 100644
--- a/src/iwd.config.rst
+++ b/src/iwd.config.rst
@@ -465,6 +465,14 @@ are buggy or just don't behave similar enough to the majority of other drivers.
If a driver in use matches one in this list, multicast RX will be
disabled.
+ * - SaeDisable
+ - Values: comma-separated list of drivers or glob matches
+
+ If a driver in use matches one in this list, SAE/WPA3 will be disabled
+ for connections. This will prevent connections to WPA3-only networks, but
+ will allow for connections to WPA3/WPA2 hybrid networks by utilizing
+ WPA2.
+
SEE ALSO
========
--
2.34.1
* Re: [PATCH 1/2] wiphy: add driver quirk to disable SAE
2025-02-11 19:58 [PATCH 1/2] wiphy: add driver quirk to disable SAE James Prestwood
2025-02-11 19:58 ` [PATCH 2/2] doc: document [DriverQuirks].SaeDisable James Prestwood
@ 2025-02-11 20:32 ` KeithG
2025-02-11 20:36 ` James Prestwood
2025-02-12 15:51 ` James Prestwood
2 siblings, 1 reply; 6+ messages in thread
From: KeithG @ 2025-02-11 20:32 UTC (permalink / raw)
To: James Prestwood; +Cc: iwd
On Tue, Feb 11, 2025 at 1:59 PM James Prestwood <prestwoj@gmail.com> wrote:
>
> SAE/WPA3 is completely broken on brcmfmac, at least without a custom
> kernel patch which isn't included in many OS distributions. In order
> to help with this add a driver quirk so devices with brcmfmac can
> utilize WPA2 instead of WPA3 and at least connect to networks at
> this capacity until the fix is more widely distributed.
> ---
> src/wiphy.c | 10 +++++++++-
> 1 file changed, 9 insertions(+), 1 deletion(-)
>
> diff --git a/src/wiphy.c b/src/wiphy.c
> index c7df648a..46f7a6d9 100644
> --- a/src/wiphy.c
> +++ b/src/wiphy.c
> @@ -74,6 +74,7 @@ enum driver_flag {
> POWER_SAVE_DISABLE = 0x4,
> OWE_DISABLE = 0x8,
> MULTICAST_RX_DISABLE = 0x10,
> + SAE_DISABLE = 0x20,
> };
>
> struct driver_flag_name {
> @@ -106,7 +107,8 @@ static const struct driver_flag_name driver_flag_names[] = {
> { "ForcePae", FORCE_PAE },
> { "PowerSaveDisable", POWER_SAVE_DISABLE },
> { "OweDisable", OWE_DISABLE },
> - { "MulticastRxDisable", MULTICAST_RX_DISABLE }
> + { "MulticastRxDisable", MULTICAST_RX_DISABLE },
> + { "SaeDisable", SAE_DISABLE },
> };
>
> struct wiphy {
> @@ -202,6 +204,9 @@ uint16_t wiphy_get_supported_ciphers(struct wiphy *wiphy, uint16_t mask)
>
> static bool wiphy_can_connect_sae(struct wiphy *wiphy)
> {
> + if (wiphy->driver_flags & SAE_DISABLE)
> + return false;
> +
> /*
> * WPA3 Specification version 3, Section 2.2:
> * A STA shall not enable WEP and TKIP
> @@ -1368,6 +1373,9 @@ static void wiphy_print_basic_info(struct wiphy *wiphy)
> if (wiphy->driver_flags & MULTICAST_RX_DISABLE)
> flags = l_strv_append(flags, "MulticastRxDisable");
>
> + if (wiphy->driver_flags & SAE_DISABLE)
> + flags = l_strv_append(flags, "SaeDisable");
> +
> joined = l_strjoinv(flags, ' ');
>
> l_info("\tDriver Flags: %s", joined);
> --
> 2.34.1
>
>
James,
What should I do with this patch? Should I apply it? (I do not think I
should). I am trying to get the kernel patch in the 6.6 kernel. They,
RPiOS, just pushed a new kernel 6.6.74 and the one line patch is not
yet in there.
I guess I do not really understand what you are proposing. The default
RPI kernel, with the patched version of IWD 3.3 (with the '[RFC]
netdev: avoid PMKSA for fullmac drivers') patch will connect properly
with wpa2 SSIDs when used with the un-patched kernel. The patched
kernel will also connect to WPA2 SSIDs with the bonus of connecting to
WPA3 as well.
Curious,
Keith
* Re: [PATCH 1/2] wiphy: add driver quirk to disable SAE
2025-02-11 20:32 ` [PATCH 1/2] wiphy: add driver quirk to disable SAE KeithG
@ 2025-02-11 20:36 ` James Prestwood
2025-02-11 20:46 ` James Prestwood
0 siblings, 1 reply; 6+ messages in thread
From: James Prestwood @ 2025-02-11 20:36 UTC (permalink / raw)
To: KeithG; +Cc: iwd
Hi Keith,
On 2/11/25 12:32 PM, KeithG wrote:
> On Tue, Feb 11, 2025 at 1:59 PM James Prestwood <prestwoj@gmail.com> wrote:
>> SAE/WPA3 is completely broken on brcmfmac, at least without a custom
>> kernel patch which isn't included in many OS distributions. In order
>> to help with this add a driver quirk so devices with brcmfmac can
>> utilize WPA2 instead of WPA3 and at least connect to networks at
>> this capacity until the fix is more widely distributed.
>> ---
>> src/wiphy.c | 10 +++++++++-
>> 1 file changed, 9 insertions(+), 1 deletion(-)
>>
>> diff --git a/src/wiphy.c b/src/wiphy.c
>> index c7df648a..46f7a6d9 100644
>> --- a/src/wiphy.c
>> +++ b/src/wiphy.c
>> @@ -74,6 +74,7 @@ enum driver_flag {
>> POWER_SAVE_DISABLE = 0x4,
>> OWE_DISABLE = 0x8,
>> MULTICAST_RX_DISABLE = 0x10,
>> + SAE_DISABLE = 0x20,
>> };
>>
>> struct driver_flag_name {
>> @@ -106,7 +107,8 @@ static const struct driver_flag_name driver_flag_names[] = {
>> { "ForcePae", FORCE_PAE },
>> { "PowerSaveDisable", POWER_SAVE_DISABLE },
>> { "OweDisable", OWE_DISABLE },
>> - { "MulticastRxDisable", MULTICAST_RX_DISABLE }
>> + { "MulticastRxDisable", MULTICAST_RX_DISABLE },
>> + { "SaeDisable", SAE_DISABLE },
>> };
>>
>> struct wiphy {
>> @@ -202,6 +204,9 @@ uint16_t wiphy_get_supported_ciphers(struct wiphy *wiphy, uint16_t mask)
>>
>> static bool wiphy_can_connect_sae(struct wiphy *wiphy)
>> {
>> + if (wiphy->driver_flags & SAE_DISABLE)
>> + return false;
>> +
>> /*
>> * WPA3 Specification version 3, Section 2.2:
>> * A STA shall not enable WEP and TKIP
>> @@ -1368,6 +1373,9 @@ static void wiphy_print_basic_info(struct wiphy *wiphy)
>> if (wiphy->driver_flags & MULTICAST_RX_DISABLE)
>> flags = l_strv_append(flags, "MulticastRxDisable");
>>
>> + if (wiphy->driver_flags & SAE_DISABLE)
>> + flags = l_strv_append(flags, "SaeDisable");
>> +
>> joined = l_strjoinv(flags, ' ');
>>
>> l_info("\tDriver Flags: %s", joined);
>> --
>> 2.34.1
>>
>>
> James,
>
> What should I do with this patch? Should I apply it? (I do not think I
> should). I am trying to get the kernel patch in the 6.6 kernel. They,
> RPiOS, just pushed a new kernel 6.6.74 and the one line patch is not
> yet in there.
>
> I guess I do not really understand what you are proposing. The default
> RPI kernel, with the patched version of IWD 3.3 (with the'[RFC]
> netdev: avoid PMKSA for fullmac drivers') patch will connect properly
> with wpa2 SSIDs when used with the un-patched kernel. The patched
> kernel will also connect to WPA2 SSIDs with the bonus of connecting to
> WPA3 as well.
The issue I'm solving here is if you have a hybrid WPA2/WPA3 network.
IWD will always prefer WPA3, but any brcmfmac devices _without_ a
patched kernel will fail to connect and WPA2 is never tried. This patch
allows the user to set this new option, which will avoid WPA3 entirely.
Basically, it gets brcmfmac "working" to some extent using WPA2 vs
completely non-functional for WPA3/WPA2 hybrid networks.
Applying this patch won't have any effect unless you set the option in
main.conf.
>
> Curious,
>
> Keith
* Re: [PATCH 1/2] wiphy: add driver quirk to disable SAE
2025-02-11 20:36 ` James Prestwood
@ 2025-02-11 20:46 ` James Prestwood
0 siblings, 0 replies; 6+ messages in thread
From: James Prestwood @ 2025-02-11 20:46 UTC (permalink / raw)
To: KeithG; +Cc: iwd
Hi Keith,
On 2/11/25 12:36 PM, James Prestwood wrote:
> Hi Keith,
>
> On 2/11/25 12:32 PM, KeithG wrote:
>> On Tue, Feb 11, 2025 at 1:59 PM James Prestwood <prestwoj@gmail.com>
>> wrote:
>>> SAE/WPA3 is completely broken on brcmfmac, at least without a custom
>>> kernel patch which isn't included in many OS distributions. In order
>>> to help with this add a driver quirk so devices with brcmfmac can
>>> utilize WPA2 instead of WPA3 and at least connect to networks at
>>> this capacity until the fix is more widely distributed.
>>> ---
>>> src/wiphy.c | 10 +++++++++-
>>> 1 file changed, 9 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/src/wiphy.c b/src/wiphy.c
>>> index c7df648a..46f7a6d9 100644
>>> --- a/src/wiphy.c
>>> +++ b/src/wiphy.c
>>> @@ -74,6 +74,7 @@ enum driver_flag {
>>> POWER_SAVE_DISABLE = 0x4,
>>> OWE_DISABLE = 0x8,
>>> MULTICAST_RX_DISABLE = 0x10,
>>> + SAE_DISABLE = 0x20,
>>> };
>>>
>>> struct driver_flag_name {
>>> @@ -106,7 +107,8 @@ static const struct driver_flag_name
>>> driver_flag_names[] = {
>>> { "ForcePae", FORCE_PAE },
>>> { "PowerSaveDisable", POWER_SAVE_DISABLE },
>>> { "OweDisable", OWE_DISABLE },
>>> - { "MulticastRxDisable", MULTICAST_RX_DISABLE }
>>> + { "MulticastRxDisable", MULTICAST_RX_DISABLE },
>>> + { "SaeDisable", SAE_DISABLE },
>>> };
>>>
>>> struct wiphy {
>>> @@ -202,6 +204,9 @@ uint16_t wiphy_get_supported_ciphers(struct
>>> wiphy *wiphy, uint16_t mask)
>>>
>>> static bool wiphy_can_connect_sae(struct wiphy *wiphy)
>>> {
>>> + if (wiphy->driver_flags & SAE_DISABLE)
>>> + return false;
>>> +
>>> /*
>>> * WPA3 Specification version 3, Section 2.2:
>>> * A STA shall not enable WEP and TKIP
>>> @@ -1368,6 +1373,9 @@ static void wiphy_print_basic_info(struct
>>> wiphy *wiphy)
>>> if (wiphy->driver_flags & MULTICAST_RX_DISABLE)
>>> flags = l_strv_append(flags,
>>> "MulticastRxDisable");
>>>
>>> + if (wiphy->driver_flags & SAE_DISABLE)
>>> + flags = l_strv_append(flags, "SaeDisable");
>>> +
>>> joined = l_strjoinv(flags, ' ');
>>>
>>> l_info("\tDriver Flags: %s", joined);
>>> --
>>> 2.34.1
>>>
>>>
>> James,
>>
>> What should I do with this patch? Should I apply it? (I do not think I
>> should). I am trying to get the kernel patch in the 6.6 kernel. They,
>> RPiOS, just pushed a new kernel 6.6.74 and the one line patch is not
>> yet in there.
>>
>> I guess I do not really understand what you are proposing. The default
>> RPI kernel, with the patched version of IWD 3.3 (with the'[RFC]
>> netdev: avoid PMKSA for fullmac drivers') patch will connect properly
>> with wpa2 SSIDs when used with the un-patched kernel. The patched
>> kernel will also connect to WPA2 SSIDs with the bonus of connecting to
>> WPA3 as well.
>
> The issue I'm solving here is if you have a hybrid WPA2/WPA3 network.
> IWD will always prefer WPA3, but any brcmfmac devices _without_ a
> patched kernel will fail to connect and WPA2 is never tried. This
> patch allows the user to set this new option, which will avoid WPA3
> entirely. Basically, its gets brcmfmac "working" to some extent using
> WPA2 vs completely non-functional for WPA3/WPA2 hybrid networks.
>
> Applying this patch won't have any effect unless you set the option in
> main.conf.
Also by the way, that patch referenced in the earlier thread(s) with
Arend doesn't seem to apply to the 6.6 Raspbian kernel. Looks like that
file has changed locations between 6.6 and upstream so it's an easy
modification, but that might be a reason the Raspi kernel folks wouldn't
take it.
>
>>
>> Curious,
>>
>> Keith
* Re: [PATCH 1/2] wiphy: add driver quirk to disable SAE
2025-02-11 19:58 [PATCH 1/2] wiphy: add driver quirk to disable SAE James Prestwood
2025-02-11 19:58 ` [PATCH 2/2] doc: document [DriverQuirks].SaeDisable James Prestwood
2025-02-11 20:32 ` [PATCH 1/2] wiphy: add driver quirk to disable SAE KeithG
@ 2025-02-12 15:51 ` James Prestwood
2 siblings, 0 replies; 6+ messages in thread
From: James Prestwood @ 2025-02-12 15:51 UTC (permalink / raw)
To: iwd
All,
On 2/11/25 11:58 AM, James Prestwood wrote:
> SAE/WPA3 is completely broken on brcmfmac, at least without a custom
> kernel patch which isn't included in many OS distributions. In order
> to help with this add a driver quirk so devices with brcmfmac can
> utilize WPA2 instead of WPA3 and at least connect to networks at
> this capacity until the fix is more widely distributed.
Both for my own reference and so others don't have to go digging through
threads. The kernel patch that fixes SAE/WPA3 on brcmfmac can be found here:
https://lore.kernel.org/linux-wireless/20241215120401.238320-1-arend.vanspriel@broadcom.com/
> ---
> src/wiphy.c | 10 +++++++++-
> 1 file changed, 9 insertions(+), 1 deletion(-)
>
> diff --git a/src/wiphy.c b/src/wiphy.c
> index c7df648a..46f7a6d9 100644
> --- a/src/wiphy.c
> +++ b/src/wiphy.c
> @@ -74,6 +74,7 @@ enum driver_flag {
> POWER_SAVE_DISABLE = 0x4,
> OWE_DISABLE = 0x8,
> MULTICAST_RX_DISABLE = 0x10,
> + SAE_DISABLE = 0x20,
> };
>
> struct driver_flag_name {
> @@ -106,7 +107,8 @@ static const struct driver_flag_name driver_flag_names[] = {
> { "ForcePae", FORCE_PAE },
> { "PowerSaveDisable", POWER_SAVE_DISABLE },
> { "OweDisable", OWE_DISABLE },
> - { "MulticastRxDisable", MULTICAST_RX_DISABLE }
> + { "MulticastRxDisable", MULTICAST_RX_DISABLE },
> + { "SaeDisable", SAE_DISABLE },
> };
>
> struct wiphy {
> @@ -202,6 +204,9 @@ uint16_t wiphy_get_supported_ciphers(struct wiphy *wiphy, uint16_t mask)
>
> static bool wiphy_can_connect_sae(struct wiphy *wiphy)
> {
> + if (wiphy->driver_flags & SAE_DISABLE)
> + return false;
> +
> /*
> * WPA3 Specification version 3, Section 2.2:
> * A STA shall not enable WEP and TKIP
> @@ -1368,6 +1373,9 @@ static void wiphy_print_basic_info(struct wiphy *wiphy)
> if (wiphy->driver_flags & MULTICAST_RX_DISABLE)
> flags = l_strv_append(flags, "MulticastRxDisable");
>
> + if (wiphy->driver_flags & SAE_DISABLE)
> + flags = l_strv_append(flags, "SaeDisable");
> +
> joined = l_strjoinv(flags, ' ');
>
> l_info("\tDriver Flags: %s", joined);